Re: [leaf-user] RAM disks

2004-03-22 Thread Erich Titl
Hi

At 07:57 22.03.2004 +, Shango wrote:
>How can I change the amount of RAM allocated to a RAM disk
>in Bering 1.2? I've searched & researched...

the mail archive is a useful tool in these circumstances...

http://leaf.sourceforge.net/doc/guide/biaddrm.html

cheers

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16




---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] RAM disks

2004-03-22 Thread Oliver Ertl
Hello,

try to add or change the following entries in the syslinux.cfg file:
"syst_size=26M log_size=8M tmp_size=4M"

where syst_size is /dev/root, log_size is /var/log and tmp_size is
/tmp. M means megabytes.

Regards,
Oliver Ertl

On Monday 22 March 2004 08:57, Shango wrote:
> How can I change the amount of RAM allocated to a RAM disk
> in Bering 1.2? I've searched & researched...
>
> In my LEAF box most of the memory is allocated to /tmp -
> it would be useful to allocate more to /dev/root and
> /var/log.
>
> Where does one change these?
>
> Regards,
> Shango Oluwa





Re: [leaf-user] nameresolution fail with multipath

2004-03-22 Thread Ronny Aasen
On Wed, 2004-03-17 at 15:17, Ronny Aasen wrote:
> hello
> 
> I am trying to set up a redundant multipath network
> it looks something like this
> 
> ---  ---
> | gw1 |--| gw2 | --
> DEFGW---| |  | |-| Laptop |
> | |--| | --
> ---  ---
> 
> and the routing table shows multipath routes
> 
> now everything works as expected I guess
> the laptop can browse the net and things seem ok
> the laptop and the gw's all use the same nameserver that sits in the
> DEFGW 
> 
> but
> 
> the following command fails on gw2
> # nslookup www.vg.no [ip of any nameserver]
> 
> and also every command that needs name resolution fails to work
> 
> 
> but if i cut one of the multipath links and wait for the ospfd to remove
> the multipath routes
> like this 
> 
> ---  ---
> | gw1 |--| gw2 | --
> DEFGW---| |  | |-| Laptop |
> | |--| | --
> ---  ---
> 
> or
> 
> ---  ---
> | gw1 |--| gw2 | --
> DEFGW---| |  | |-| Laptop |
> | |--| | --
> ---  ---
> 
> then name resolution functions as expected
> 
> in all 3 scenarios I can ping the nameserver ok from all boxes.
> 
> hope someone have a clue to give me :)

Seems turning off spoofprotect in /etc/network/options fixes this
problem.

yay! :)

-- 
Ronny Aasen <[EMAIL PROTECTED]>





Re: [leaf-user] Updated SSH packages

2004-03-22 Thread Erich Titl
Dave

At 15:34 19.03.2004 +, Dave Hunt wrote:

>Hi All,
>Does anyone have more recent versions of the ssh/sshd/sftp packages?
>There's a security advisory
>(http://www.openssl.org/news/secadv_20040317.txt) 
>that affects the current versions in 
>use at http://leaf.sourceforge.net/devel/jnilo/

I guess you are using Bering. I have compiled the latest sshd using openssl 0.9.7d and 
the latest libz, but as opposed to Jacques I built it with dynamic linking.

This requires libz.lrp libnsl.lrp libcrypt.lrp and sshd.lrp. A statically compiled 
sshd.lrp according to Juan Jesus Prieto is 


Hi Erich,
Yes, it should run on your Bering-1.2 box, but the problem is the size of 
the package: 976k for sshd.lrp, although if you use a CF or a cdrom boot, 
there is no problem.


Here are the sizes for the newly compiled stuff (slink.)

-rw-r--r--    1 root     root       444769 2004-03-22 14:27 libcrypt.lrp
-rw-r--r--    1 root     root         8087 2004-03-22 14:27 libnsl.lrp
-rw-r--r--    1 root     root        89010 2004-03-22 14:27 libssl.lrp
-rw-r--r--    1 root     root        36293 2004-03-22 14:27 libz.lrp
-rw-r--r--    1 root     root       134257 2004-03-22 14:27 sshd.lrp

If you want to try this let me know, it works for me

cheers
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Fri, 2004-03-19 at 15:01, Eric Spakman wrote:
> Calvin,
> 
> To give some extra information about Bering-uClibc packages that can 
> be used for the asked functionality.
>  
> > Here is a summary of the functionality required:
> > 

Thank you very much for pointing to the specific modules. That will help
focus my efforts.

> > Port Knocking to trigger remote vpn/ssh access
> ?
> 

I'm referring to the method of accessing closed external ports using a
predefined sequence of connection attempts across one or more ports. As
described in the Jun 2003 SysAdmin article, "The log is monitored for
specific port sequences that encode information used to modify firewall
rules, which are changed to open or close ports for a specific IP
address." I'm certain this will be possible using LEAF.

> > Fastest available link should be chosen when redundant paths exist.
> > 
> not currently implemented (multipath) but on the todo list for the 
> zebra (quagga) packages.

It was my understanding that BGP would take care of this. Maybe I didn't
accurately describe my parameters. When I said "fastest link" I meant
the one with the most available bandwidth at a given point in time.
Linux Magazine recently had a pretty good article about dynamic routing
protocols. In the Mar 2004 issue it clearly describes the load balancing
capabilities of BGP-4.

If my understanding of BGP is correct, what is it that you are saying is
not currently implemented?

Thank you for your detailed response.

--Cal Webster





RE: [leaf-user] Updated SSH packages

2004-03-22 Thread Dave Hunt

> Here are the sizes for the newly compiled stuff (slink.)
> 
> -rw-r--r--    1 root     root       444769 2004-03-22 14:27 libcrypt.lrp
> -rw-r--r--    1 root     root         8087 2004-03-22 14:27 libnsl.lrp
> -rw-r--r--    1 root     root        89010 2004-03-22 14:27 libssl.lrp
> -rw-r--r--    1 root     root        36293 2004-03-22 14:27 libz.lrp
> -rw-r--r--    1 root     root       134257 2004-03-22 14:27 sshd.lrp
> 
> If you want to try this let me know, it works for me

Sure, Erich. Have you a link to somewhere I can download them? 

Regards,
Dave.








RE: [leaf-user] Updated SSH packages

2004-03-22 Thread Erich Titl
Dave

At 14:50 22.03.2004 +, you wrote:

>> Here are the sizes for the newly compiled stuff (slink.)
>> 
>> -rw-r--r--    1 root     root       444769 2004-03-22 14:27 libcrypt.lrp
>> -rw-r--r--    1 root     root         8087 2004-03-22 14:27 libnsl.lrp
>> -rw-r--r--    1 root     root        89010 2004-03-22 14:27 libssl.lrp
>> -rw-r--r--    1 root     root        36293 2004-03-22 14:27 libz.lrp
>> -rw-r--r--    1 root     root       134257 2004-03-22 14:27 sshd.lrp
>> 
>> If you want to try this let me know, it works for me
>
>Sure, Erich. Have you a link to somewhere I can download them? 

Try 

http://www.think.ch/leaf/wrap/packages/

look for the packages with a date 22-Mar-2004

Do not forget to modify your lrpkg.cfg; you need a few more packages like libnsl and 
libcrypt.
Please keep me updated.
cheers

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > Port Knocking to trigger remote vpn/ssh access
> > ?
> > 
> 
> I'm referring to the method of accessing closed external ports using a
> predefined sequence of connection attempts across one or more ports. As
> described in the Jun 2003 SysAdmin article, "The log is monitored for
> specific port sequences that encode information used to modify firewall
> rules, which are changed to open or close ports for a specific IP
> address." I'm certain this will be possible using LEAF.
> 
This should be possible but I have never seen specific programs for 
this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
will do this job. 

> > > Fastest available link should be chosen when redundant paths exist.
> > > 
> > not currently implemented (multipath) but on the todo list for the 
> > zebra (quagga) packages.
> 
> It was my understanding that BGP would take care of this. Maybe I didn't
> accurately describe my parameters. When I said "fastest link" I meant
> the one with the most available bandwidth at a given point in time.
> Linux magazine recently had a pretty good article about dynamic routing
> protocols. In the Mar 2004 issue it clearly describes load balancing
> capabilities of BGP-4.
> 
> If my understanding of BGP is correct, what is it that you are saying is
> not currently implemented?
> 
The following compile setting is left at its default (1), but will be set 
to 0 with the next release.

--enable-multipath=ARG
Enable support for Equal Cost Multipath. ARG is the maximum number of 
ECMP paths to allow, set to 0 to allow unlimited number of paths. 

But that has indeed nothing to do with selecting the fastest link; if 
the costs are different the fastest link will be chosen by the 
routing daemon.

Regards,
Eric Spakman




Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Erich Titl
Cal

At 09:47 22.03.2004 -0500, you wrote:
>On Fri, 2004-03-19 at 15:01, Eric Spakman wrote:
>> Calvin,
>> 
>> To give some extra information about Bering-uClibc packages that can 
>> be used for the asked functionality.
>>  
>> > Here is a summary of the functionality required:
>> > 
>
>Thank you very much for pointing to the specific modules. That will help
>focus my efforts.
>
>> > Port Knocking to trigger remote vpn/ssh access
>> ?
>> 
>
>I'm referring to the method of accessing closed external ports using a
>predefined sequence of connection attempts across one or more ports. As
>described in the Jun 2003 SysAdmin article, "The log is monitored for
>specific port sequences that encode information used to modify firewall
>rules, which are changed to open or close ports for a specific IP
>address." I'm certain this will be possible using LEAF.

Sure if you port the software. 
I'd rather use a monitoring channel through an IPSEC connection to the firewall, or 
allow access through ssh using RSA.

my 0.02

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






[leaf-user] doubt?

2004-03-22 Thread Andrius Dal Pizzol
 By chance it does work of AP?  

and is a same diskette alone?

___

Andrius Dal Pizzol

Suporte Operacional

MicroMatix

- 92136785

- (51) 30325132

- [EMAIL PROTECTED]





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 10:57, Eric Spakman wrote:
> Cal,
> 
> > > > Port Knocking to trigger remote vpn/ssh access
> > > ?
> > > 
> > 
> > I'm referring to the method of accessing closed external ports using a
> > predefined sequence of connection attempts across one or more ports. As
> > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > specific port sequences that encode information used to modify firewall
> > rules, which are changed to open or close ports for a specific IP
> > address." I'm certain this will be possible using LEAF.
> > 
> This should be possible but I have never seen specific programs for 
> this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> will do this job. 

I've written Perl scripts to monitor logs in the past. Should just be a
matter of triggering the "rule-mod" event on log content, then getting
the daemon to re-read the rules.

> > > > Fastest available link should be chosen when redundant paths exist.
> > > > 
> > > not currently implemented (multipath) but on the todo list for the 
> > > zebra (quagga) packages.
> > 
> > It was my understanding that BGP would take care of this. Maybe I didn't
> > accurately describe my parameters. When I said "fastest link" I meant
> > the one with the most available bandwidth at a given point in time.
> > Linux magazine recently had a pretty good article about dynamic routing
> > protocols. In the Mar 2004 issue it clearly describes load balancing
> > capabilities of BGP-4.
> > 
> > If my understanding of BGP is correct, what is it that you are saying is
> > not currently implemented?
> > 
> The following compile setting is left at its default (1), but will be set 
> to 0 with the next release.
> 
> --enable-multipath=ARG
> Enable support for Equal Cost Multipath. ARG is the maximum number of 
> ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> 
> But that has indeed nothing to do with selecting the fastest link; if 
> the costs are different the fastest link will be chosen by the 
> routing daemon.

So, to get this functionality now, I'd need to set this flag
appropriately and recompile. In my example topology, 3 of the routers
have 2 paths to each of the other two. I don't think I currently have
more than 2 links to the same destination. However, depending upon the
reliability of these, we may add an on-demand dial-up link for
emergencies. We also may have access to building-to-building fiber links
sometime in the future as well. Any idea when the next release will be
out?

So, as long as I have multi-paths set to greater than 1, the routing
daemons should be able to accomplish load balancing of the links.

Thanks!

--Cal Webster





[leaf-user] test

2004-03-22 Thread LaRoy McCann
Testing





[leaf-user] Dachstein routing to squid

2004-03-22 Thread LaRoy McCann
I have spent all weekend looking and trying to figure out how to make this 
work.  Now it is time to ask for help.

I have Dachstein CD running as a proxy-arp firewall for a system.  Is it 
possible to have the firewall redirect all port 80 requests from the DMZ 
(eth2) and send them to port 3128 on another box (Squid-cache) in the 
DMZ.  And then accept the requests from the Squid box to the internet (eth0).

I know this is probably easier using Bering, but I have not taken the time 
to try that.  I have always used Dachstein.

I have looked through network.conf and cannot find any rules for redirect or 
forwarding within the same interface, just from one interface to the other. 
I have even tried to add an ipmasqadm rule manually and it did not 
work.  Do I need to place the squid box on the internal interface?

If someone is doing this now, could you please post the info or a link to 
some info showing the correct settings.

Thanks in advance

LaRoy McCann 





RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 11:39, michiel wrote:
> Dear Cal,
> 
> My few cents for this layout.
> Hardware:
> I had some problems with incompatible 3com 3C905 cards (don't know why);
> check them before you start.

3Com NICs have proven pretty reliable for me, but I always take them
through the diagnostics before using them. I know the 2.4 kernel modules
can handle them.

> I think that the "old" hardware is even too fast for this setup.
> I like to use old Pentium 166s for routers because you can down-clock
> them to slower machines that produce less heat and need no active
> cooling. (Every moving part gives trouble after a while.)
> Also possible to overclock the PCI bus from 33 to 40 MHz. (I have not done
> it yet but I am planning a test setup.)
> The PCI bus has its limitations; I think you will find those faster than
> the processor speed.

Two main reasons for the selection of "New Hardware": (1) rack-mount,
passive backplane chassis allows simple SBC (CPU) changes & dual cooling
fans, and (2) DiskOnChip modules or Flash RAM replace hard drives.
Choice of SBC determined by availability of DOC sockets, integrated
controllers, RAM, and cost.

> Myself I stopped using disk drives for the OS. My 3 routers were standing
> in a non-heated environment and after a cold period the disks were always
> damaged. Using old 170MB HDs for it now. Just using 4.7MB of space on
> them.
> Using 32MB of memory and still a lot of space left.

I'm only using the hard drives for initial building, configuration, and
testing. They'll be removed in the new machines when they'll boot and
run from DOC.


> Layout:
> In your setup the routers will be crucial to network operation.
> If you double routers 1, 2 and 3 you can get more redundancy in your
> planning and easier implementation.
> Separate networks for wireless and DSL, for example.

I'm not real clear on what you mean by doubling the routers. If you are
talking about dividing responsibility for some of the paths (interfaces)
off to 2nd machine at each of the locations, I don't think this would be
best. First, our budget currently won't support purchase of duplicate
hardware. Second, it means more to manage for an already overworked
staff. 

When the budget will support additional purchases, I'd favor a fail-over
Linux cluster configuration, moving to a split passive backplane with
multi-port Ethernet cards. I certainly could press some old PC's into
service, but network closets don't have much room and recycled PC's tend
to produce more heat and have less efficient air flow than rack-mount
chassis.

> Routing:
> You have to watch out for the problem that if the DSL at the corp network
> goes down, packets don't get sent around in circles over the
> wireless network and end up in an endless loop. That will bring the whole
> network down in a matter of seconds.

Would you expect this to be a problem with multi-path routing? I'll be
sure to simulate bringing down each link when the new routers are
deployed to see if this happens. I thought that the BGP daemon on the
affected router would be smart enough to detect the dead link and notify
its neighbors so they could pass the traffic through an open link to the
same destination, in theory through next available link with the most
bandwidth.

> Conclusion:
> It looks like a very nice project.
> But I think you need to split the network up for better management and
> redundancy.
> Then some machines will be routers and some will be firewalls.
> Keep me informed.
> Any questions, mail me. Willing to help. Even with my bad English.

Thanks for the comments and offer to help. I'm hoping to return to this
project this week. I just had an RF link go down so my time is pretty
divided right now.

--Cal Webster





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 11:37, Erich Titl wrote:
> >> > Port Knocking to trigger remote vpn/ssh access
> >> ?
> >> 
> >
> >I'm referring to the method of accessing closed external ports using a
> >predefined sequence of connection attempts across one or more ports. As
> >described in the Jun 2003 SysAdmin article, "The log is monitored for
> >specific port sequences that encode information used to modify firewall
> >rules, which are changed to open or close ports for a specific IP
> >address." I'm certain this will be possible using LEAF.
> 
> Sure if you port the software. 
> I'd rather use a monitoring channel through an IPSEC connection to the firewall, or 
> allow access through ssh using RSA.
> 
> my 0.02
> 

There is no software to port, so far as I can tell. The log monitoring
and rule setting is all done via an external Perl script. Routing
daemons continue to function as they have. They'll just be told to
re-read their configuration files when it's time to open a specific port
to a specific IP address for the specified duration. You may want to
read the article I cited if you can lay your hands on a copy of the
SysAdmin mag. It's a pretty clever method, adding another valuable tool
to the network manager's belt. 

The premise behind port knocking is that external ports remain closed.
An open port is vulnerable to port scans. Once an open port is
identified, a DOS (or other) attack can be launched. Without a port to
scan, the likelihood of a DOS attack is dramatically diminished. With
port knocking, the port is opened to the specified IP address only when
connection attempts to the correct combination of ports in the correct
sequence and timing are received, with optionally encrypted payloads.
When it's time to make the connection, you can still use IPSEC
authentication and encryption.

Thanks for the comments!

--Cal Webster





Re: [leaf-user] Dachstein routing to squid

2004-03-22 Thread Charles Steinkuehler
LaRoy McCann wrote:
> I have spent all weekend looking and trying to figure out how to make this 
> work.  Now it is time to ask for help.
> 
> I have Dachstein CD running as a proxy-arp firewall for a system.  Is it 
> possible to have the firewall redirect all port 80 requests from the DMZ 
> (eth2) and send them to port 3128 on another box (Squid-cache) in the 
> DMZ.  And then accept the requests from the Squid box to the internet (eth0).
> 
> I know this is probably easier using Bering, but I have not taken the time 
> to try that.  I have always used Dachstein.
> 
> I have looked through network.conf and cannot find any rules for redirect or 
> forwarding within the same interface, just from one interface to the other. 
> I have even tried to add an ipmasqadm rule manually and it did not 
> work.  Do I need to place the squid box on the internal interface?
> 
> If someone is doing this now, could you please post the info or a link to 
> some info showing the correct settings.

If this is anything like port-forwarding, it's a *LOT* easier if the 
router is between the two boxes (client and proxy), rather than having 
both be on the same net.  With port-forwarding, the problem is the 
outbound packets need to get mangled (for destination IP), and then 
mangled again on return (for source IP), but with both boxes on the same 
network, the reply packets go directly from server->client, they don't 
match what the client's expecting (for source IP), and they get dropped.

You can use tcpdump to see if this is what's happening to you.  If so, I 
recommend another NIC (they're cheap!) configured with a private IP 
range.  Just stick your proxy in the new network, setup the Dachstein 
rules so the new IP range is masqueraded to the internet, and you should 
be all set to craft some custom redirect rules.

--
Charles Steinkuehler
[EMAIL PROTECTED]
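To make the failure Charles describes concrete, here is an added model of the two placements, not Dachstein's code and not a packet trace from LaRoy's box. It assumes a transparent redirect of anything to TCP/80 towards proxy port 3128, a connection table on the router that remembers the original destination, and hosts that only hand a packet to the router when the destination is off their own /24; all addresses are constructed from the documentation ranges. With the proxy on the same segment as the client the reply bypasses the router and is never translated back, so the client sees a source it did not talk to; with the proxy behind a separate router interface the reply must cross the router and is rewritten correctly.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def same_link(ip_a, ip_b, prefix=24):
    """Two hosts share a link when they fall in the same /24 (constructed topology)."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(ip_a) == net(ip_b)


class Router:
    """Transparent redirect: every packet to TCP/80 is rewritten to proxy:3128.
    Only packets that actually pass through the router can be translated back."""

    def __init__(self, proxy_ip, proxy_port=3128):
        self.proxy = (proxy_ip, proxy_port)
        self.conntrack = {}   # (client ip, client port) -> original (dst ip, dst port)

    def outbound(self, pkt):
        if pkt.dport == 80:
            self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, *self.proxy)   # destination mangled
        return pkt

    def reply(self, pkt):
        orig = self.conntrack.get((pkt.dst, pkt.dport))
        if orig and (pkt.src, pkt.sport) == self.proxy:
            return Packet(orig[0], orig[1], pkt.dst, pkt.dport)   # source restored
        return pkt


def simulate(client_ip, proxy_ip, web_server="198.51.100.80"):
    """Follow one request/reply pair and report what the client's socket does with the reply."""
    router = Router(proxy_ip)
    request = Packet(client_ip, 40000, web_server, 80)
    expected_from = (request.dst, request.dport)     # the client expects replies from here

    # The web server is off-link, so the request goes to the router (default gateway).
    at_proxy = router.outbound(request)
    # The proxy answers the address it saw the request come from.
    reply = Packet(at_proxy.dst, at_proxy.dport, at_proxy.src, at_proxy.sport)
    # If proxy and client share a link, the reply is delivered directly and skips the router.
    if not same_link(proxy_ip, client_ip):
        reply = router.reply(reply)

    if (reply.src, reply.sport) == expected_from:
        return "accepted"
    return (f"dropped: reply from {reply.src}:{reply.sport}, "
            f"client expected {expected_from[0]}:{expected_from[1]}")


if __name__ == "__main__":
    print("proxy in the DMZ with the client:", simulate("192.0.2.10", "192.0.2.20"))
    print("proxy on its own router interface:", simulate("192.0.2.10", "10.0.0.5"))
```

The dropped case is exactly what a tcpdump on the client would show: a SYN-ACK arriving from 192.0.2.20:3128 for a connection the client opened to 198.51.100.80:80. Moving the proxy onto a separate interface (Charles's extra NIC with a private range) forces both directions through the router, which is why the redirect rules then have a chance to work.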


Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > I'm referring to the method of accessing closed external ports using a
> > > predefined sequence of connection attempts across one or more ports. As
> > > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > > specific port sequences that encode information used to modify firewall
> > > rules, which are changed to open or close ports for a specific IP
> > > address." I'm certain this will be possible using LEAF.
> > > 
> > This should be possible but I have never seen specific programs for 
> > this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> > will do this job. 
> 
> I've written Perl scripts to monitor logs in the past. Should just be a
> matter of triggering the "rule-mod" event on log content, then getting
> the daemon to re-read the rules.
>
We don't have Perl packages for Bering-uClibc.
 
> > > > > Fastest available link should be chosen when redundant paths exist.
> > > > > 
> > > > not currently implemented (multipath) but on the todo list for the 
> > > > zebra (quagga) packages.
> > > 
> > > It was my understanding that BGP would take care of this. Maybe I didn't
> > > accurately describe my parameters. When I said "fastest link" I meant
> > > the one with the most available bandwidth at a given point in time.
> > > Linux magazine recently had a pretty good article about dynamic routing
> > > protocols. In the Mar 2004 issue it clearly describes load balancing
> > > capabilities of BGP-4.
> > > 
> > > If my understanding of BGP is correct, what is it that you are saying is
> > > not currently implemented?
> > > 
> > The following compile setting is left at its default (1), but will be set 
> > to 0 with the next release.
> > 
> > --enable-multipath=ARG
> > Enable support for Equal Cost Multipath. ARG is the maximum number of 
> > ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> > 
> > But that has indeed nothing to do with selecting the fastest link; if 
> > the costs are different the fastest link will be chosen by the 
> > routing daemon.
> 
> So, to get this functionality now, I'd need to set this flag
> appropriately and recompile. In my example topology, 3 of the routers
> have 2 paths to each of the other two. I don't think I currently have
> more than 2 links to the same destination. However, depending upon the
> reliability of these, we may add an on-demand dial-up link for
> emergencies. We also may have access to building-to-building fiber links
> sometime in the future as well. Any idea when the next release will be
> out?
> 
You only need to set this flag if you want load-balancing for those 
lines. For fallback this isn't necessary: the on-demand link will 
have a higher cost set and will only be enabled when the primary link 
fails. BGP or OSPF can handle this without problems.
You may also take a look at the ipvsadm.lrp package; it will give you 
HSRP (Hot Standby Router) like operation 
(http://www.linuxvirtualserver.org).

Our routing source is based on Quagga (Zebra) software, we will 
create and test new packages when the next version of that software 
is available. But I have no idea when the next version of Quagga will 
be released exactly...

> So, as long as I have multi-paths set to greater than 1, the routing
> daemons should be able to accomplish load balancing of the links.
> 
Yes, but if you set it to "0" you have support for unlimited number 
of paths.

Eric


[leaf-user] Sending mail from a script

2004-03-22 Thread Roger E McClurg
I know that mail messages are normally terminated with a control-d. Can 
someone please tell me how to end a mail message when it is sent from a 
script file in Bering?  I know it is a simple trick, but for the life of 
me I can't remember it.

Roger





[leaf-user] Re: RAM disks

2004-03-22 Thread Shango
Thank you Erich & Oliver - our RAM disks are now optimal.

Regards,
Shango Oluwa



[leaf-user] LMSENSORS

2004-03-22 Thread Roger E McClurg
Does anyone know of a lmsensors package for Bering?

Roger





Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Calvin Webster
On Mon, 2004-03-22 at 14:33, Eric Spakman wrote:
> Cal,
> 
> > > > I'm referring to the method of accessing closed external ports using a
> > > > predefined sequence of connection attempts across one or more ports. As
> > > > described in the Jun 2003 SysAdmin article, "The log is monitored for
> > > > specific port sequences that encode information used to modify firewall
> > > > rules, which are changed to open or close ports for a specific IP
> > > > address." I'm certain this will be possible using LEAF.
> > > > 
> > > This should be possible but I have never seen specific programs for 
> > > this purpose. Maybe snort (snort.lrp) or portsentry (psentry.lrp) 
> > > will do this job. 
> > 
> > I've written Perl scripts to monitor logs in the past. Should just be a
> > matter of triggering the "rule-mod" event on log content, then getting
> > the daemon to re-read the rules.
> >
> We don't have perl packages for Bering-uClibc

Well, that could be a problem then. I'm sure it's still do-able, but it
might be a little more difficult to implement. I know we're trying to
keep the footprint as small as possible so it makes sense that the
rather large Perl distro isn't there. Maybe there's a "mini-perl"
somewhere. Or, a working Perl script could be converted to C and
compiled to run by itself.
 
> > > > > > Fastest available link should be chosen when redundant paths exist.
> > > > > > 
> > > > > not currently implemented (multipath) but on the todo list for the 
> > > > > zebra (quagga) packages.
> > > > 
> > > > It was my understanding that BGP would take care of this. Maybe I didn't
> > > > accurately describe my parameters. When I said "fastest link" I meant
> > > > the one with the most available bandwidth at a given point in time.
> > > > Linux magazine recently had a pretty good article about dynamic routing
> > > > protocols. In the Mar 2004 issue it clearly describes load balancing
> > > > capabilities of BGP-4.
> > > > 
> > > > If my understanding of BGP is correct, what is it that you are saying is
> > > > not currently implemented?
> > > > 
> > > The following compile setting is left to default (1), but will be set 
> > > to 0 with the next release.
> > > 
> > > --enable-multipath=ARG
> > > Enable support for Equal Cost Multipath. ARG is the maximum number of 
> > > ECMP paths to allow, set to 0 to allow unlimited number of paths. 
> > > 
> > > But that has indeed nothing to do with selecting the fastest link; if 
> > > the costs are different the fastest link will be chosen by the 
> > > routing daemon.
> > 
> > So, to get this functionality now, I'd need to set this flag
> > appropriately and recompile. In my example topology, 3 of the routers
> > have 2 paths to each of the other two. I don't think I currently have
> > more than 2 links to the same destination. However, depending upon the
> > reliability of these, we may add an on-demand dial-up link for
> > emergencies. We also may have access to building-to-building fiber links
> > sometime in the future as well. Any idea when the next release will be
> > out?
> > 
> You only need to set this flag if you want load-balancing for those 
> lines. For fallback this isn't necessary, the on-demand link will 
> have a higher cost set and will only be enabled when the primary link 
> fails. BGP or OSPF can handle this without problems.
> You may also take a look at the ipvsadm.lrp package, it will give you 
> HSRP (Hot Standby Router) like operation 
> (http://www.linuxvirtualserver.org)

At peak loads even the 100 Mbps wireless gets saturated for short
periods. With overhead it's really only about 30-40 Mbps. Load balancing
with the slower DSL links would still offer some benefit I think. I
definitely don't see any benefit to balancing with a dial-up link,
though. Are the links that get balanced selectable? If I enable
unlimited multipaths, will it try to balance all links between identical
networks?

I was going to model the entire project on VMware, but I found that
VMware limits the number of NICs to 3, too few for most of my routers. I
suppose I can still model some of this functionality though, to get the
feel of the software. It will also help answer some of the "dumb"
questions without cluttering the mailing list.

Thank you for the follow-up.

--Cal Webster
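A shell-only sketch of the log-monitoring idea discussed above, added here as an example; it is not code from any LEAF package or from the posters. Since Bering-uClibc has no Perl, the matching is done in awk (assumed to be available, e.g. busybox awk). The log lines are constructed in the style of iptables LOG output (SRC= and DPT= fields), the knock sequence and the function names are my own, and the script only reports which source addresses completed the sequence; the firewall change the SysAdmin article describes is left to the caller, so the parser can be run and tested without touching any rules.

```sh
#!/bin/sh
# Port-knock detector over firewall log lines (added example, not from the
# original thread). Reads iptables-style log lines, tracks per-source progress
# through KNOCK_SEQUENCE, and prints each source that completes it, once.
# Assumes an awk binary (e.g. busybox awk); no Perl is needed.

# Knock sequence: destination ports that must be hit in this order.
KNOCK_SEQUENCE="7000 8000 9000"

# Constructed sample log (not real traffic): 10.0.0.5 completes the sequence,
# 10.0.0.9 sends the same ports in reverse order, 10.0.0.7 stops after two.
SAMPLE_LOG='Mar 22 15:18:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000
Mar 22 15:18:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=9000
Mar 22 15:18:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=8000
Mar 22 15:18:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=7000
Mar 22 15:18:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=8000
Mar 22 15:18:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP SPT=40006 DPT=9000
Mar 22 15:18:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=40007 DPT=8000
Mar 22 15:18:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP SPT=40008 DPT=7000'

# knock_sources SEQUENCE: log lines on stdin, completed source addresses on
# stdout. A correct port advances the source's position; a wrong port resets it
# (and counts as the first knock if it happens to be the first port); reaching
# the end prints the address once and starts over for that source.
knock_sources() {
    awk -v seq="$1" '
    BEGIN { n = split(seq, want, " ") }
    /SRC=/ && /DPT=/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        pos[src] += 0
        if (dpt == want[pos[src] + 1]) {
            pos[src]++
        } else {
            pos[src] = (dpt == want[1]) ? 1 : 0
        }
        if (pos[src] == n) {
            if (!(src in seen)) print src
            seen[src] = 1
            pos[src] = 0
        }
    }'
}

# demo_knock: run the detector over the constructed sample. A live deployment
# would feed it from the log (tail -f /var/log/messages) and hand each printed
# address to the rule-changing step instead of printing it.
demo_knock() {
    printf '%s\n' "$SAMPLE_LOG" | knock_sources "$KNOCK_SEQUENCE"
}

demo_knock
```

Order matters in the detector: with the sequence above only 10.0.0.5 is reported, while the reversed sequence "9000 8000 7000" reports only 10.0.0.9, and a two-port sequence "7000 8000" is completed by both 10.0.0.5 and 10.0.0.7.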





Re: [leaf-user] Sending mail from a script

2004-03-22 Thread M Lu
Did you try something like

mail -s "subject" [EMAIL PROTECTED]  < yourmessage.txt

where yourmessage.txt is the file containing your message.




- Original Message - 
From: "Roger E McClurg" <[EMAIL PROTECTED]>
To: "leaf" <[EMAIL PROTECTED]>
Sent: Monday, March 22, 2004 3:18 PM
Subject: [leaf-user] Sending mail from a script


> I know that mail messages are normally terminated with a control-d. Can 
> someone please tell me how to end a mail message when it is sent from a 
> script file in Bering?  I know it is a simple trick, but for the life of 
> me I can't remember it.
> 
> Roger
> 


Re: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Eric Spakman
Cal,

> > > I've written Perl scripts to monitor logs in the past. Should just be a
> > > matter of triggering the "rule-mod" event on log content, then getting
> > > the daemon to re-read the rules.
> > >
> > We don't have perl packages for Bering-uClibc
> 
> Well, that could be a problem then. I'm sure it's still do-able, but it
> might be a little more difficult to implement. I know we're trying to
> keep the footprint as small as possible so it makes sense that the
> rather large Perl distro isn't there. Maybe there's a "mini-perl"
> somewhere. Or, a working Perl script could be converted to C and
> compiled to run by itself.
>
A small footprint is not the only issue; extra software on a 
router/firewall can also give higher security risks.

If I'm not mistaken there is indeed something like "miniperl". I will 
take a look at it.
  
> > You only need to set this flag if you want load-balancing for those 
> > lines. For fallback this isn't necessary, the on-demand link will 
> > have a higher cost set and will only be enabled when the primary link 
> > fails. BGP or OSPF can handle this without problems.
> > You may also take a look at the ipvsadm.lrp package, it will give you 
> > HSRP (Hot Standby Router) like operation 
> > (http://www.linuxvirtualserver.org)
> 
> At peak loads even the 100 Mbps wireless gets saturated for short
> periods. With overhead it's really only about 30-40 Mbps. Load balancing
> with the slower DSL links would still offer some benefit I think. I
> definitely don't see any benefit to balancing with a dial-up link,
> though. Are the links that get balanced selectable? If I enable
> unlimited multipaths, will it try to balance all links between identical
> networks?
> 
Equal Cost Multipath is something other than load balancing; I wasn't 
fully clear in my previous mail. You probably won't set the costs for 
a 100 Mb and a dialup link equal; that means that the router thinks 
those lines are equal in speed and half of the traffic will be sent over 
the slow link ;-) ECM is only meant for equal lines.
I have to look at the exact function and impact of the ECM setting.

> I was going to model the entire project on VMware, but I found that
> VMware limits the number of NICs to 3, too few for most of my routers. I
> suppose I can still model some of this functionality though, to get the
> feel of the software. It will also help answer some of the "dumb"
> questions without cluttering the mailing list.
> 
> Thank you for the follow-up.
> 
> --Cal Webster
Re: [leaf-user] Sending mail from a script

2004-03-22 Thread Charles Steinkuehler
Roger E McClurg wrote:
> I know that mail messages are normally terminated with a control-d. Can 
> someone please tell me how to end a mail message when it is sent from a 
> script file in Bering?  I know it is a simple trick, but for the life of 
> me I can't remember it.

control-d is the keyboard equivalent of "end-of-file".  You can simply 
pipe something to (or otherwise redirect the input of) the mail command, 
which will correctly identify the end of file, i.e.:

echo "hello world" | mail -s test [EMAIL PROTECTED]

-or-

mail -s test [EMAIL PROTECTED] 

--
Charles Steinkuehler
[EMAIL PROTECTED]
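A script-sized version of the point made in this answer, added here as an example and not code from the posters: mail reads its body from standard input until end-of-file, so a here-document or an input redirection ends the message exactly as control-d does at the keyboard. The function names, the MAILER variable (which defaults to the real mail command and exists so the script can be exercised without a mail transport) and the recipient root@localhost are my own assumptions.

```sh
#!/bin/sh
# Sending a multi-line message from a script (added example, not from the
# original posts). mail reads the body from standard input until end-of-file,
# so a here-document ends the message exactly as control-d does at the
# keyboard. MAILER is an assumption of this example: it defaults to the real
# mail command and lets a test substitute something that only captures stdin.
MAILER="${MAILER:-mail}"

# send_report SUBJECT RECIPIENT: builds the body inline from a few commands.
# The closing EOF line is what ends the message; no control-d is needed.
send_report() {
    subject="$1"
    recipient="$2"
    "$MAILER" -s "$subject" "$recipient" <<EOF
Host:   $(uname -n)
Date:   $(date)

Recent log lines:
$(tail -n 5 /var/log/messages 2>/dev/null || echo "(no /var/log/messages)")
EOF
}

# send_file SUBJECT RECIPIENT FILE: same idea with a prepared file; the input
# redirection supplies the end-of-file, as in the answers above.
send_file() {
    "$MAILER" -s "$1" "$2" < "$3"
}

# Example call from a script (recipient is a placeholder):
#   send_report "nightly report" root@localhost
```

Because the here-document delimiter is unquoted, the $(...) substitutions run when the script runs, so the report body is generated on the router at send time rather than stored in a file first.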
RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Peter Mueller
> I was going to model the entire project on VMware, but I found that
> VMware limits the number of NICs to 3, too few for most of my routers. I

I don't think user-mode-linux has that built-in restriction.

http://user-mode-linux.sourceforge.net/


Re: [leaf-user] Sending mail from a script

2004-03-22 Thread JamesSturdevant
I think the syntax you're looking for is:

mail -s "In Line" [EMAIL PROTECTED] <
JamesS
At 03:18 PM 3/22/2004 -0500, Roger E McClurg wrote:
> I know that mail messages are normally terminated with a control-d. Can
> someone please tell me how to end a mail message when it is sent from a
> script file in Bering?  I know it is a simple trick, but for the life of
> me I can't remember it.
> Roger




